Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Lurking Lizard Malware Creates Proxy Nodes via Fake 7-Zip Installers
July 8, 2026
Fake Indian Tax Notices Deliver Dual RAT Malware
July 8, 2026
DuckDuckGo Browser Uses Community Filter Lists to Block YouTube Ads
July 8, 2026
Home/Threats/Fake Indian Tax Notices Deliver Dual RAT Malware
Threats

Fake Indian Tax Notices Deliver Dual RAT Malware

Key Takeaways A sophisticated new malware campaign is leveraging fake Indian tax notices to deploy two distinct Remote Access Trojans (RATs) onto victim systems. The attack employs a multi-stage...

Jennifer sherman
Jennifer sherman
July 8, 2026 5 Min Read
4 0

Key Takeaways

  • A sophisticated new malware campaign is leveraging fake Indian tax notices to deploy two distinct Remote Access Trojans (RATs) onto victim systems.
  • The attack employs a multi-stage infection chain, including DLL search-order hijacking and reflective loading, to establish persistent control and evade detection.
  • Targets are primarily users in India, lured by seemingly legitimate communications from the Income Tax Department and spoofed Microsoft verification pages.
  • The dual RAT deployment offers attackers redundancy, ensuring continued access even if one command-and-control channel is compromised or blocked.

Highly Sophisticated Campaign Uses Fake Indian Tax Notices to Deploy Dual RATs

A new, highly organized malware operation is exploiting the credibility of official Indian tax communications to trick users into installing not one, but two separate remote access trojans (RATs) on their computers. This campaign demonstrates an advanced level of planning, exceeding typical phishing attempts.

Table Of Content

  • Key Takeaways
  • Highly Sophisticated Campaign Uses Fake Indian Tax Notices to Deploy Dual RATs
  • The Deceptive Lure: Exploiting Trust
  • Six Stages to Dual RAT Deployment
  • Indicators of Compromise (IoCs):-
  • What You Should Do

The attackers craft convincing lures that mimic official notices from India’s Income Tax Department. These communications are designed to instill fear of penalties, coercing recipients into downloading malicious files. Once initiated, the infection progresses through a meticulously engineered six-stage process, culminating in two independent RATs operating stealthily in memory.

Each RAT establishes its own connection to a distinct command-and-control (C2) server. This dual-channel approach provides a critical redundancy for the attackers, ensuring continued access to compromised systems even if one C2 link is disrupted or detected. Security researchers first identified this operation targeting users across India, noting the government-themed decoys.

Analysts from Cyderes said in a report that they meticulously tracked the campaign’s entire technical trajectory. This included everything from the initial deceptive notice to the final payloads discreetly executing within legitimate system processes.

The Deceptive Lure: Exploiting Trust

The campaign’s effectiveness hinges on its use of authentic-looking government branding. References to the Ministry of Finance and the Enforcement Division are strategically placed to enhance the fake notices’ perceived legitimacy. Before the malware is even delivered, victims are directed to a spoofed Microsoft verification page, adding another layer of trust-building that makes the scheme particularly potent against unsuspecting users.

The infection begins on fraudulent websites designed to mirror the Indian Income Tax Department’s official portal. These sites uniformly feature an “/incometax” URL path and display a fabricated compliance notice. The message falsely claims the recipient’s organization has violated tax regulations and demands document submission within 72 hours to avert penalties. Clicking “Download Documents” redirects victims to a page branded as “Microsoft Edge Secure Gateway,” which then performs a series of fake security checks.

Upon the apparent completion of these checks, the browser initiates the download of a ZIP archive named Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip. This archive contains a legitimate signed executable alongside a malicious DLL, nvdaHelperRemote.dll. This pairing is engineered to exploit Windows DLL search order abuse. When the legitimate executable runs, it inadvertently loads the attacker’s malicious DLL instead of its genuine counterpart, providing the malware with a trusted entry point onto the system.

Six Stages to Dual RAT Deployment

Following the initial DLL sideload, the infection chain advances through several critical phases. It first achieves privilege escalation, often via a User Account Control (UAC) prompt, then installs a persistence service camouflaged as “Windows Mixed Reality Service.”

The malware subsequently retrieves a file from its infrastructure. This file appears to be an ordinary JPEG image but is, in fact, a polyglot file containing multiple encrypted payloads appended after the image data. This deceptive technique allows the file to bypass superficial inspections and basic content filters that only analyze file headers.

Later stages of the attack largely abandon disk activity. Instead, they employ reflective loading to unpack and execute code directly in memory, further complicating detection. The final phase involves injecting two distinct payloads into svchost.exe processes across all active user sessions. This ensures the malware maintains a persistent foothold, surviving user switches and operating within both service and interactive contexts.

The two ultimate implants are a Gh0st RAT derivative, capable of screen capture and communicating over port 6666, and a .NET implant from the Quasar or AsyncRAT family. The latter patches the Antimalware Scan Interface (AMSI) before loading, connecting via port 6351. The deployment of both RATs over separate command channels ensures that blocking one does not terminate the intrusion.

Forensic analysis of the compromise can leverage specific host artifacts, including the staged service, hidden lock files, and named global events. These indicators offer a clear path for incident response teams to scope and contain a confirmed breach. Recommended detection strategies include monitoring for signed binaries loading unsigned DLLs, the creation of unusual services pointing to unexpected paths, AMSI tampering preceding Common Language Runtime (CLR) initialization, and process injection targeting svchost.exe from suspicious sources.

Given the malware’s reliance on in-memory execution and the abuse of signed binaries to maintain a low profile while an operator retains full control, a layered defense strategy is crucial. Proactive threat hunting for these specific artifacts is more effective than relying on single-point detections to prevent escalation.

Indicators of Compromise (IoCs):-

Type Indicator Description
File Name Common_Offline_Utility_ITR-1_to_4_AY2026-27.zip Initial malicious archive delivered via fake tax portal
File Name COU_ITR-1_to_4_AY2026-27.exe Legitimate signed binary abused as sideload launcher
File Name nvdaHelperRemote.dll Malicious DLL sideloaded via DLL search-order hijack
File Name Mixed Reality.exe Copied host binary used to sideload staged DLL
File Name background.jpg Polyglot payload container hiding encrypted stages
File Name c:debug.txt Hidden debug log written by injector
File Name c:kkooPPP Lock file, Gh0st RAT derivative single-instance guard
File Name c:ouewo Lock file, AsyncRAT loader single-instance guard
File Name c:kkqqexit Kill file used as shutdown signal
Domain import[.]mom Lure hosting domain (path /incometax)
Domain tqkat[.]rest Lure hosting domain (path /incometax)
Domain generate[.]lat Lure hosting domain (path /incometax)
Domain meoou[.]rest Lure hosting domain (path /incometax)
Domain kattp[.]homes Lure hosting domain (path /incometax)
IP Address 118[.]107[.]0[.]197 Polyglot payload hosting server
URL hxxp[:]//118[.]107[.]0[.]197/ouewo[.]jpg Polyglot payload download URL
Domain kkxqbh[.]top Gh0st RAT derivative C2 (port 6666)
Domain ouewop[.]com AsyncRAT family C2 (port 6351)
Service Name MixedSvc / “Windows Mixed Reality Service” Malicious persistence service
Named Event Globalkkctsbnn Single-instance guard event
Named Event GlobalShitSetupOn26126k Setup-phase guard event
Mutex 5sGEm6Q4eTNv AsyncRAT mutex

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

What You Should Do

  • Educate Users: Conduct regular training on identifying phishing attempts, especially those impersonating government agencies or trusted brands like Microsoft. Emphasize vigilance against unsolicited emails and urgent demands.
  • Implement Email Security: Deploy robust email security solutions with advanced threat protection, including DMARC, DKIM, and SPF, to filter out malicious emails and prevent spoofing.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions capable of monitoring for suspicious behaviors such as signed binaries loading unsigned DLLs, unusual service creation, and process injection into legitimate system processes like svchost.exe.
  • Network Monitoring: Monitor network traffic for connections to known malicious domains or IP addresses (e.g., those listed in the IoCs), especially on unusual ports like 6666 and 6351.
  • Patch and Update Systems: Ensure all operating systems, applications, and security software are kept up-to-date to mitigate vulnerabilities that malware could exploit.
  • Disable Unnecessary Services: Review and disable any non-essential services, especially those that could be abused for persistence or privilege escalation.
  • Antimalware Scan Interface (AMSI) Protection: Implement and monitor AMSI-enabled security solutions to detect and block scripts and executables attempting to bypass security checks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarePatchphishingSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

DuckDuckGo Browser Uses Community Filter Lists to Block YouTube Ads

Next Post

Lurking Lizard Malware Creates Proxy Nodes via Fake 7-Zip Installers

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Claude Cowork Critical Flaw Exposes AI Sessions to Remote Access
July 8, 2026
Exposed Payload Generator Creates Polymorphic Banking Malware Variants for Banana RAT
July 8, 2026
Mycelium Framework: First AI-as-a-Service Botnet Discovered
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us